
Site to Site VPN using Cisco 2651XM and ASA5505

Hello Experts,

I have an issue setting up a site to site VPN between a Cisco 2651XM and an ASA5505.

Here's the config from both the devices.

On Cisco 2651XM
===============
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco12345 address 205.200.8.XXX
!
!
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to205.200.8.251
 set peer 205.200.8.XXX
 set transform-set ESP-DES-SHA
 match address 102
 qos pre-classify
interface Dialer1
 ip nbar protocol-discovery
 crypto map SDM_CMAP_2

On ASA 5505
===========
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list outside_6_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 6 match address outside_6_cryptomap_1
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 205.200.9.xxx
crypto map outside_map 6 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group 205.200.9.203 type ipsec-l2l
tunnel-group 205.200.9.203 ipsec-attributes
 pre-shared-key *

Here's the output log from ASA5505

IP = 205.200.9.XXX Received encrypted packet with no matching SA, dropping

Group = 205.200.9.XXX Username = 205.200.9.XXX IP = 205.200.9.XXX Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

Group = 205.200.9.XXX IP = 205.200.9.XXX Removing peer from correlator table failed, no match!

Group = 205.200.9.XXX, IP = 205.200.9.XXX, QM FSM error (P2 struct &0xd7b42260, mess id 0x84b2979c)!

Group = 205.200.9.XXX, IP = 205.200.9.XXX, All IPSec SA proposals found unacceptable!

Group = 205.200.9.XXX, IP = 205.200.9.XXX, PHASE 1 COMPLETED

Please help me out.

OJ


Re: Site to Site VPN using Cisco 2651XM and ASA5505

Went through the link. Tried doing what relates to my issue but no luck. Any other idea?


Re: Site to Site VPN using Cisco 2651XM and ASA5505

I found out the issue. It was a PFS group issue. The sh crypto map command helped me. It was showing DH1, I changed it to DH2 and the issue was resolved. Thanks for your help though.
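
Added example, not part of the original thread: a Python sketch that compares the phase 2 settings (transform set and PFS) of one crypto map entry from each peer, which is the comparison the "Phase 2 Mismatch" log and the PFS fix above come down to. The sample text is constructed from the configs posted in the question, and the function names `phase2` and `mismatches` are hypothetical.

```python
import re

# Constructed sample input: phase 2 lines abridged from the two configs in the thread.
ROUTER = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map SDM_CMAP_2 1 ipsec-isakmp
 set transform-set ESP-DES-SHA
 match address 102
"""
ASA = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 6 match address outside_6_cryptomap_1
crypto map outside_map 6 set pfs
crypto map outside_map 6 set transform-set ESP-DES-SHA
"""

def phase2(config):
    """Map (crypto map, seq) -> {'transforms': frozenset, 'pfs': None | 'default' | 'groupN'}."""
    tsets, entries, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]] = frozenset(m[2].split())
        if m := re.match(r"crypto map (\S+) (\d+)\s*(.*)", line):
            # IOS block header, or an ASA entry with the sub-command on the same line
            cur = entries.setdefault((m[1], int(m[2])), {"tset": None, "pfs": None})
            line = m[3]
        elif not line.startswith(("set ", "match ", "description ", "qos ")):
            cur = None  # any other command ends an IOS crypto map block
        if cur is None:
            continue
        if m := re.match(r"set transform-set (\S+)", line):
            cur["tset"] = m[1]  # only the first listed transform set is compared
        if m := re.match(r"set pfs(?:\s+(group\d+))?$", line):
            cur["pfs"] = m[1] or "default"  # bare 'set pfs': group is chosen by the platform
    for e in entries.values():
        e["transforms"] = tsets.get(e.pop("tset"), frozenset())
    return entries

def mismatches(a, b):  # a, b: one entry from phase2() for each peer
    out = []
    if a["transforms"] != b["transforms"]:
        out.append(f"transform mismatch: {sorted(a['transforms'])} vs {sorted(b['transforms'])}")
    if (a["pfs"] is None) != (b["pfs"] is None):
        out.append("PFS set on one peer only")
    elif a["pfs"] != b["pfs"]:
        out.append(f"PFS group differs or is implicit: {a['pfs']} vs {b['pfs']}")
    elif a["pfs"] == "default":
        out.append("PFS group implicit on both peers: confirm with 'show crypto map'")
    return out
```

On the sample built from the posted configs, `mismatches` reports that PFS is set on the ASA entry only. A bare `set pfs` is treated as implicit because the group it selects is not visible in the config line.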
